Abstract

Formal methods research is beginning to produce methods which will enable mathematical modeling of the 
physical behavior of digital hardware and software systems. The development of these methods directly 
supports the NASA mission of increasing the scope and effectiveness of flight system modeling capabilities. 

The conventional, continuous mathematics that is used extensively in modeling flight systems is not adequate 
for accurate modeling of digital systems. Therefore, the current practice of digital flight control system design 
has not had the benefits of extensive mathematical modeling which are common in other parts of flight system 
engineering. 

Formal methods research is showing that by using discrete mathematics, very accurate modeling of digital 
systems is possible. These discrete modeling methods are still in an embryonic stage. But when they are fully 
developed, they will bring the traditional benefits of modeling to digital hardware and software design. Sound 
reasoning about accurate mathematical models of flight control systems can be an important part of reducing the 
risks of unsafe flight control. 
"Formal Methods" Enable 
Mathematical Modeling 
of 
Digital Systems 
(Hardware and Software) 

NASA Mission Objective: Increase the scope and 
effectiveness of flight system modeling 
capabilities. — Lee Holcomb, NASA HQ, 1990. 



note-82. mss: 2 


08/27/90 



Why Model? 

For either design of a new system or operation of 
an old one, modeling provides... 

Benefits: early error detection 

• Saves time 

• Saves money 

• Saves operational disruption 

• Saves operational mishaps 

Risks: model misrepresents system 

• Inaccurate 

• Incomplete 

Kinds of models: physical, analog, schematic, 
mathematical. 

Blanchard and Fabrycky. Systems Engineering 
and Analysis , Prentice Hall, 1990. 
Why a Mathematical Model? 

• High abstraction 

• High precision 

• Simulate by manipulating symbols 

• Represent large classes of system states 

• Use mathematical deduction 

Get a lot of system simulation for a little symbol 
manipulation. 
Operational Safety 


Operating a system safely requires 

• accurate predictions 
of how it will behave. 

Accurate predictions can be obtained from 

• sound deductions about 

• accurate mathematical models 
of system behavior. 
A Classic Model 


Free Fall Distance: 

f(b, t) = [g(b) * t**2] / 2 

g(b) = if b = "earth" then 32 
       else if b = "moon" then . . . 

t is time (sec) 

f(b,t) is distance (ft) 

Simulation: 

f("earth", .7) = [32 * .7**2] / 2 

= 16 * .49 

= 7.84 ft 
Power of Mathematical Deduction 

Suppose 0 le t0 le t1. 

t in [t0..t1] 

f("earth", t) in (32 * [t0..t1]**2) / 2 

f("earth", t) in 16 * [t0..t1]**2 

f("earth", t) in 16 * [t0**2..t1**2] 

(** is monotonic on nonnegative arguments, which is 
why 0 le t0 is assumed) 

Physical simulation of this result is impossible 
because [t0..t1] contains an infinite number of 
values. 
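The deduction above can be carried out mechanically as interval arithmetic. The following is an added example, not part of the original slides: it evaluates the free-fall model over a whole interval of times at once, refuses to square an interval that violates the 0 le t0 hypothesis, and contrasts the result with sampled point simulations. The Interval class and the function names are this example's own; the slide supplies only the Earth constant, so the "moon" branch is omitted.

```python
"""Interval evaluation of the free-fall model f(b, t) = g(b) * t**2 / 2.

Added example, not from the original slides: it carries out the
"Power of Mathematical Deduction" slide mechanically. One interval
computation covers every t in [t0, t1], which no finite number of point
simulations can do. Squaring the endpoints is only sound because t**2 is
monotonic on nonnegative arguments, which is why the slide assumes
0 le t0; the code refuses to square an interval that violates it.
"""
from dataclasses import dataclass
import random

# The slide gives only the Earth constant (ft/s**2); "moon" is elided there.
G_FT_PER_S2 = {"earth": 32.0}


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError("empty interval")

    def __contains__(self, x):
        return self.lo <= x <= self.hi

    def scale(self, c):
        """Multiply by a constant c >= 0; the order of the endpoints is preserved."""
        if c < 0:
            raise ValueError("scale assumes a nonnegative constant")
        return Interval(c * self.lo, c * self.hi)

    def square_nonneg(self):
        """[t0..t1]**2 = [t0**2..t1**2], valid only when 0 <= t0."""
        if self.lo < 0:
            raise ValueError("endpoint squaring needs 0 <= t0")
        return Interval(self.lo ** 2, self.hi ** 2)


def free_fall(body, t):
    """Point model from the slide: f(b, t) = g(b) * t**2 / 2, in feet."""
    return G_FT_PER_S2[body] * t ** 2 / 2


def free_fall_interval(body, t0, t1):
    """Deduce the set of distances for every t in [t0..t1] in one step."""
    return Interval(t0, t1).square_nonneg().scale(G_FT_PER_S2[body] / 2)


def sampled_enclosure_holds(body, t0, t1, samples=10_000, seed=0):
    """Random point simulations can confirm the deduced enclosure but never
    replace it: they cover finitely many of the infinitely many t."""
    rng = random.Random(seed)
    box = free_fall_interval(body, t0, t1)
    return all(free_fall(body, rng.uniform(t0, t1)) in box
               for _ in range(samples))


if __name__ == "__main__":
    print(free_fall("earth", 0.7))              # the slide's simulation, 7.84 ft
    print(free_fall_interval("earth", 0.0, 1.0))
```

The check in square_nonneg is the whole point of the slide's parenthetical remark: for an interval such as [-1..1] the endpoint rule would give [1..1], which is wrong, so the hypothesis 0 le t0 has to be stated and enforced rather than assumed.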
Validating a Model 

• Ultimately, the accuracy of a model of a 
physical system must be validated by testing it 
against measured, observed behavior of the 
actual physical system. 

• One cannot construct a mathematical proof that 
a model is an accurate representation of a 
physical system. 

• Typically, one iterates through a process of 

• stating a mathematical model 

• testing it against physical observations 

• adjusting the model 
Hardware Model Observables 

A hardware system 
is composed 
of physical switches. 


Nancy Stern. From ENIAC to UNIVAC: An 
Appraisal of the Eckert-Mauchly Computers . 

Digital Equipment Corporation, 1981. 

Next page. 
[Black-and-white photograph, not reproduced in this copy] 

Use Discrete Mathematics 
to Model Hardware 

Switches by binary digits 
Operation by recursive functions 

s0 | 01100001111 | 
s1 | 10100110000 | 
s2 | 11100010101 | 
   . . . 
An MC68020 Machine Model 

MC68020(s, n) = 
  if haltp(s) or n = 0 
  then s 
  else MC68020(NEXT(s), n-1) 

NEXT(s) = 
  if evenp(pc(s)) 
  then if pc_readp(mem(s), pc(s)) 
       then EXECUTE(FETCH(pc(s), s), 
                    update_pc(s, ...)) 
       else halt(s, pc_signal) 
  else halt(s, pc_odd_signal) 

EXECUTE(ins, s) = 
  ... [50 pages for 90% of user instructions] ... 

Provides a mathematically precise and consistent 
machine language reference manual. 

Yuan Yu. PhD Thesis (in progress). University of 
Texas. 
The VIPER Machine 

A 32-bit microprocessor "whose functions are 
totally predictable." 

• Accumulator 

• 2 index registers 

• Program counter 

• Comparison register 

• 16 instructions 

Avra Cohn. A Proof of Correctness of the VIPER 
Microprocessor: The First Level . Technical 
Report 104, University of Cambridge Computer 
Laboratory, January, 1987. 

W. J. Cullyer. Implementing High Integrity 
Systems: The VIPER Microprocessor . In 
Computer Assurance, COMPASS 88. IEEE, June, 
1988. 
A VIPER Machine Model 

NEXT(ram, p, a, x, y, b, stop) = 
  if stop 
  then (ram, p, a, x, y, b, stop) 
  else if (noinc \/ illegaladdr) 
          \/ (illegalcl \/ illegalsp) 
          \/ (illegalonp \/ illegalwr) 
       then (ram, newp, a, x, y, b, T) 
       else . . . [about 7 pages] . . . 

where 

ram  - a memory of 32-bit words 
p    - 20-bit program counter 
a    - 32-bit accumulator 
x, y - 32-bit index registers 
b    - 1-bit compare result register 
stop - stop flag 
The FM8502 Machine 

A 32-bit microprocessor. 

• 2 address architecture 

• 4 addressing modes 

• 8 general purpose registers 

• 2^19 20-bit instructions 

Warren A. Hunt, Jr. FM8501: A Verified 
Microprocessor. Ph.D. Thesis, The University of 
Texas at Austin, 1985. 

—, Microprocessor Design Verification. Journal 
of Automated Reasoning. Vol. 5, No. 4, Dec 1989. 



An FM8502 
Machine Model 

FM8502(ms, mn) = 
  if not(listp(mn)) 
  then ms 
  else FM8502(NEXT(ms), rest(mn)) 

NEXT(ms) = 
  list(next_memory(ms), 
       next_register_file(ms), 
       next_carry_flag(ms), 
       next_overflow_flag(ms), 
       next_zero_flag(ms), 
       next_negative_flag(ms)) 

. . . [about 10 pages] . . . 
An FM8502 
Register Transfer Model 

GATES(gs, gn) = 
  if not(listp(gn)) 
  then gs 
  else GATES(COMB_LOGIC(gs, car(gn)), cdr(gn)) 

COMB_LOGIC(gs, gn) = 
  ... [on bit operators, e.g., b-xor] ... 

gs = [regs, flags, mem, int-regs] 

regs     - 8 32-bit vectors 
flags    - 4 Booleans 
mem      - 2^2 32-bit vectors 
int-regs - 32-bit vectors for internal 
           registers, flags, latches 
Connecting the Models 

   ms ------ fm8502(ms, mn) ------> ms' 
    |                                ^ 
  D(ms)                            U(gs') 
    v                                | 
   gs ------ gates(gs, gn) --------> gs' 

Theorem: H(ms, mn) -> 
  fm8502(ms, mn) = 
    U(gates(D(ms), Kg(ms, mn, md))) 

Under the conditions H, 

• the fm8502 model is just as accurate as gates 

• but with some details suppressed by U. 
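To make the shape of this theorem concrete, here is an added example that is not part of the original slides or of the FM8502 work. A toy accumulator machine plays the role of fm8502(ms, mn); a micro-stepped version of the same machine, with an instruction register and a phase counter that the programmer never sees, plays the role of gates(gs, gn). D, U and K are this example's down map, up map and clock function, and H is its own well-formedness hypothesis. The diagram is checked by running both levels on constructed states, which is testing; the slide's point is that the real statement was proved.

```python
"""Toy two-level machine model for the 'Connecting the Models' theorem.
Added example, not from the slides or the FM8502 work. fm8502() stands in
for the machine level, gates() for the micro-stepped gate level; D maps
down, U maps up and hides internals, K is the clock function. commutes()
checks H(ms, n) -> fm8502(ms, n) = U(gates(D(ms), K(ms, n))) by execution."""
from dataclasses import dataclass, replace
import random

LOAD, ADD, STORE, HALT = "LOAD", "ADD", "STORE", "HALT"  # toy instruction set

@dataclass(frozen=True)
class MState:          # machine level: what a programmer sees
    pc: int
    acc: int
    mem: tuple         # code (op, arg) cells and data int cells share one memory
    halted: bool = False

@dataclass(frozen=True)
class GState:          # gate level: visible state plus internals
    pc: int
    acc: int
    mem: tuple
    halted: bool
    ir: tuple = ()     # instruction register, () when empty (internal)
    phase: int = 0     # 0 fetch, 1 execute, 2 writeback (internal)

def store(mem, addr, val):
    m = list(mem); m[addr] = val; return tuple(m)

def m_next(s):
    op, arg = s.mem[s.pc]
    if op == LOAD:  return replace(s, pc=s.pc + 1, acc=arg)
    if op == ADD:   return replace(s, pc=s.pc + 1, acc=(s.acc + arg) % 256)
    if op == STORE: return replace(s, pc=s.pc + 1, mem=store(s.mem, arg, s.acc))
    return replace(s, halted=True)                     # HALT

def fm8502(s, n):
    """Run n instructions, or fewer if the machine halts first (slide shape)."""
    while n > 0 and not s.halted:
        s, n = m_next(s), n - 1
    return s

def g_next(g):
    if g.halted:
        return g
    if g.phase == 0:                                   # fetch
        return replace(g, ir=g.mem[g.pc], phase=1)
    op, arg = g.ir
    if g.phase == 1:                                   # execute
        if op == LOAD:  return replace(g, acc=arg, phase=2)
        if op == ADD:   return replace(g, acc=(g.acc + arg) % 256, phase=2)
        if op == HALT:  return replace(g, halted=True, ir=(), phase=0)
        return replace(g, phase=2)                     # STORE writes in writeback
    mem = store(g.mem, arg, g.acc) if op == STORE else g.mem   # writeback
    return replace(g, mem=mem, pc=g.pc + 1, ir=(), phase=0)

def gates(g, n):
    for _ in range(n):
        g = g_next(g)
    return g

def D(s):
    """Down map: a machine state is a gate state at the start of a fetch."""
    return GState(s.pc, s.acc, s.mem, s.halted)

def U(g):
    """Up map: drop the internal registers the programmer never sees."""
    return MState(g.pc, g.acc, g.mem, g.halted)

def K(s, n):
    """Clock function: gate steps consumed by n machine instructions."""
    steps = 0
    while n > 0 and not s.halted:
        steps += 2 if s.mem[s.pc][0] == HALT else 3    # HALT has no writeback
        s, n = m_next(s), n - 1
    return steps

def H(s, code_len):
    """Hypothesis: pc starts in code, code ends in HALT, STOREs hit data only."""
    code = s.mem[:code_len]
    return (0 <= s.pc < code_len <= len(s.mem) and code[-1][0] == HALT
            and all(op in (LOAD, ADD, STORE, HALT) for op, _ in code)
            and all(op != STORE or code_len <= arg < len(s.mem) for op, arg in code))

def commutes(s, n):
    return fm8502(s, n) == U(gates(D(s), K(s, n)))

def check_random(trials=300, seed=1, code_len=6, mem_len=10):
    """Sample states satisfying H and confirm the diagram commutes on each."""
    rng = random.Random(seed)
    for _ in range(trials):
        ops = [rng.choice([LOAD, ADD, STORE]) for _ in range(code_len - 1)]
        code = [(op, rng.randrange(code_len, mem_len) if op == STORE
                 else rng.randrange(256)) for op in ops] + [(HALT, 0)]
        data = [rng.randrange(256) for _ in range(mem_len - code_len)]
        s = MState(pc=0, acc=rng.randrange(256), mem=tuple(code + data))
        if not (H(s, code_len) and commutes(s, rng.randrange(0, 10))):
            return False
    return True
```

Two things the code makes visible that the diagram only hints at. The clock function is instruction-dependent (a HALT takes two gate steps, everything else three), so K must be computed from the run, not from n alone; and U genuinely suppresses detail: one gate step after D(ms) leaves the instruction register loaded, yet U of that state is still ms.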
Software Model Observables 

Programming languages provide 
a wide variety of ways 
of describing them, but 
the observables are still switches, 
and so are programs! 


Models of Programmed Machines 

• A machine is programmed by setting the 
switches which it will interpret as instructions 
during its operation. (Before stored-program 
machines, this process was called "setting up" 
the machine.) 


| 01100001111 | 


| prog | data | 

• These switches are the program . They control 
the subsequent operation of the machine. 

• A computer program is a physical control 
mechanism . 

• The bit string "011000" is a mathematical 
description of the control mechanism. 


A Model of 
a Programmed Machine 

A model of machine M operating on initial state s0 
for k(s0) steps under the control of the program 
described by p0 is given by 

M(s0, k(s0)) 

where 

s0 - a machine state such that prog(s0) = p0 

prog(s) - a function that extracts the 
          program description from s 

Operating Requirements 

A model of a machine programmed to satisfy an 
operating requirement R(s0, sk) is given by 

R(s0, M(s0, k(s0))) 
A Program Description, p0 


0B9B OOOD 0002 088B OOOE 0003 004B 0003 00BF OOOE OCDO 004D 0002 0009 0041 0002 
ooor 10CB 0002 0000 31CB 0002 0000 12CB 0002 OOOD 13CB 0002 OOOE OCCB 0002 0004 
ODCB 0002 0005 OECB 0002 0004 OFCB 0002 0007 0041 0002 0008 50CB 0002 OOOO 104B 

0002 OOOD 104B 0003 OOOE 0000 084B 0003 0002 004D 0002 0009 0041 0002 OOOr 004D 

0003 0002 0041 0003 009F OODA 0003 01DE 0003 084B 0003 0002 0041 0003 0008 188B 
0000 0002 398B 0000 0002 1A8B 0000 0003 F04B 0007 0002 D84B 0006 0002 B84B 0005 
0002 984B 0004 0002 784B 0003 0002 584B 0002 0002 0000 OOOE 09F3 004B 0003 OOBF 
OOOE OCDO OOOE OCCA OOOE OCAB 0002 0C86 OOOE 09F3 004B 0003 OOBF OOOE OCDO OOOE 
OCCA 004D 0002 0002 0041 0002 Q0D3 OOCB 0002 0001 01CB 0002 0000 0002 0C86 OOOE 
09F3 0089 0008 0004 0083 0008 0000 OOOA 0A98 0083 0008 0001 OOOA OAFD 0083 0008 

0002 OOOA 0B6A 0002 08A5 084B 0006 0002 0049 0006 0010 084B 0007 0003 004B 0003 
OOBF OOOE OCDO 088B OOOC 0002 084B 0004 0006 004D 0004 0008 084B 0003 0002 004D 

0003 0080 0841 0003 0004 0041 0003 01F3 OOOE OCEl OOOA 0AE7 084B 0002 0007 OOOE 
OCA0 084B 0003 0006 004D 0003 0002 0041 0003 00D3 00C3 0003 0003 0006 0C96 11C3 
0003 OOOC 0006 0C96 OOCB 0003 0000 01CB 0003 0000 0B4B 0002 0006 004B 0003 OOBF 
OOOE OCAB 0002 0C96 004B 0003 OOBF OOOE OCCA 104B 0003 OOOC 004D 0003 0002 0041 
0003 00D3 OOCB 0003 0002 09CB 0003 0006 0002 0C86 084B 0006 0002 0049 0006 0010 
004B 0003 OOBF OOOE OCDO 088B OOOC 0002 084B 0004 0002 004D 0004 0008 084B 0003 
0006 004D 0003 0080 0841 0003 0004 0041 0003 01F3 OOOE OCDD OOOA 0B54 OOOE OCDO 
OOOE OCCA 104B 0003 OOOC 004D 0003 0009 0041 0003 OOOr OBCB 0003 0002 084B 0003 
0006 004D 0003 0002 0041 0003 00D3 00C3 0003 0002 0006 0C96 11C3 0003 OOOC 0006 
0C96 OOCB 0003 0000 01CB 0003 0000 084B 0002 0006 004B 0003 OOBT OOOE 0CA8 0002 
0C96 004B 0003 OOBF OOOE OCCA 104B 0003 OOOC 004D 0003 0002 0041 0003 00D3 OOCB 
0003 0003 09CB 0003 0006 0002 OC06 084B 0007 0003 004B 0003 OOBF OOOE OCDO 088B 
OOOC 0002 084B 0003 0002 004D 0003 0008 0041 0003 0173 OOOE OCEl OOOA 0B8F 084B 
0002 0007 OOOE OCAB 00B6 OOOC 0006 0C96 00A6 OOOC 0002 0C96 004B 0003 OOBF OOOE 
OCCA 104B 0003 OOOC 004D 0003 0002 0041 0003 00D3 OOCB 0003 0004 OlCB 0003 0000 

0002 0C86 004B 0003 OOBF OOOE OCDO 088B OOOC 0002 084B 0003 0002 004D 0003 0008 
0041 0003 00r3 OOOE OCDD OOOA OBCC OOOE OCDO OOOE OCCA 104B 0003 OOOC 004D 0003 
0009 0041 0003 OOOF OBCB 0003 0002 0002 0C96 004B 0003 OOBF OOOE OCCA 104B 0003 
OOOC 004D 0003 0002 0041 0003 OOD3 OOCB 0003 0005 OlCB 0003 0000 0002 0C86 008B 
OOOA 0C86 O08B OOOE 0003 004B 0003 OOBF OOOE OCDD OOOA 0BT7 008B OOOA 0C9F 104B 

0003 OOOE OOOE 09F3 104B 0005 0008 004D 0005 0002 0041 0005 00D3 00C3 0005 0005 
0006 0C13 104B 0002 0008 004B 0003 OOBF OOOE OCAB OOCB 0005 0000 OlCB 0005 0000 
104B 0003 0008 004D 0003 0008 0041 0003 OOF3 OOOE OCEl 0006 0C2A 104B 0002 0009 
0041 0002 0100 OOOE OCHA 0082 OOOA 00B2 0008 0006 0C38 104B 0002 0009 0041 0002 
0100 OOOE OCAB 0082 OOOA 104B 0002 0009 OOOE 0CA8 0082 OOOA 008B OOOA 0C86 08BB 
OOOE 0003 004B 0003 OOBF OOOE OCDD OOOA 0C54 008B OOOA 0C9F 104B 0003 OOOE OOOE 
09F3 104B 0005 0009 004D 0005 0002 0041 0005 00D3 00C3 0005 0004 0006 0C70 104B 
0002 0009 004B 0003 OOBr OOOE 0CA8 OOCB 0005 0000 OlCB 0005 0000 104B 0003 0009 
004D 0003 0008 0041 0003 0173 OOOE OCDD 008A OOOA OOOE OCDO 088F 0009 0002 OOOE 
OCCA 0082 OOOA 004B 0003 OOBr OOOE OCDD OOOA 0C95 OOOE 00)0 OOOE 0A29 OOBA OOOB 
OOA2 0000 0004 004B 0003 OOBF OOOE OCDO OOOE 0A29 OOAE 0000 004B 0003 OOBF OOOE 
OCDO OOOE 0A29 00A2 0000 084B 0004 0003 0041 0004 0004 3841 0004 0003 08CB 0004 
0002 02D6 0003 79C7 0003 0003 0000 384B 0004 0003 7845 0004 0003 0841 0004 0003 
0041 0004 0004 Q8CB 0004 0002 0000 02D2 0003 78C7 0003 0003 0000 084B 0002 0003 
0041 0002 0004 1841 0002 0003 184B 0002 0002 0000 02C3 0003 0000 0000 7AC3 0003 

[752 16-bit words] 


The Kit Separation Kernel 

• Uses a modified FM8501 (ms,mn) machine 

• Interrupts for timer and I/O 

• Process management 

• fixed number of processes 

• process scheduling (round robin) 

• process communication (message passing) 

• response to error conditions 

• Device management for character I/O to 
asynchronous devices 

• Memory management uses hardware protection 

William R. Bevier. Kit: A Study in Operating 
System Verification . IEEE Transactions on 
Software Engineering. November 1989. 

Kit Operating Requirement, R 

[Diagram: target machine running Kit core image] 

The CLInc Stack 

   uGypsy(yx, yp, yd, yn) 
        | 
        |  Compile (Young) 
        v 
   piton(ps, pn)                 p_display 
        | 
        |  Link-assemble (Moore) 
        v 
   fm8502(ms, mn)                m_display 
        | 
        |  Reify (Hunt) 
        v 
   gates(gs, gn)                 g_display 

Warren A. Hunt, J Strother Moore II, William 
D. Young. Journal of Automated Reasoning. Vol. 
5, No. 4, Dec 1989. 
The Piton Language 

The Piton language has 

• execute-only program space 

• read/write global arrays 

• recursive subroutine calls 

• formal parameters 

• user-visible stack 

• stack-based instructions 

• flow-of-control instructions. 

The cross assembler produces an FM8502 binary 
core image. 
The Micro Gypsy Language 

The Micro Gypsy subset of Gypsy has 

• types integer, boolean, character 

• one dimensional arrays 

• procedure calls with pass by reference 
parameters 

• sequential control structures if, loop 

• condition handling signal ... when. 

The compiler produces Piton. 
The Stack Theorem 

Theorem: H'(yx, yp, yd, yn) -> 
  uGypsy(yx, yp, yd, yn) = 
    U'(gates(D'(yx, yp, yd), 
             Kg'(yx, yp, yd, yn, md))) 

Proof: Mechanically checked. 

Under the conditions H', 

• the uGypsy model is just as accurate as gates 

• but with many details suppressed by U'. 

Boyer-Moore Logic 

Robert S. Boyer, J Strother Moore II. A 
Computational Logic Handbook. Academic Press, 
1988. 

Matt Kaufmann. A User's Manual for an Interactive 
Enhancement to the Boyer-Moore Theorem 
Prover. TR 19, Computational Logic, Inc., 1988. 
A Hierarchy of Models 
of a Programmed Machine 

R(yx0, yp0, yd0, ydk) 

uGypsy(yx0, yp0, yd0, yk(yx0, yp0, yd0)) 

piton(ps0, pk(ps0)) 

fm8502(ms0, mk(ms0)) 

gates(gs0, gk(gs0)) 

Corresponding to these is a hierarchy of program 
descriptions.... 
Operating Requirement 

procedure mult (var ans : fm8502_int; 
                i, j : fm8502_int) = 
begin 
  ENTRY j ge 0; 
  EXIT ans = NTIMES(i, j); 
  pending; 
end; 

type fm8502_int = 
  integer [-(2**31) .. (2**31)-1]; 

{A Simple Problem Domain Theory} 

function NTIMES (x, y : integer) : integer = 
begin 
  exit (assume result = 
          if y = 0 then 0 
          else if y = 1 then x 
          else x + NTIMES(x, y-1) 
          fi fi); 
end; 


Gypsy Program Description 

procedure mult (var ans : fm8502_int; 
                i, j : fm8502_int) = 
begin 
  ENTRY j ge 0; 
  EXIT ans = NTIMES(i, j); 
  var k : fm8502_int := 0; 

  k := j; 
  ans := 0; 
  loop 
    ASSERT j ge 0 & k in [0..j] 
           & ans = NTIMES(i, j-k); 
    if k le 0 then leave end; 
    ans := ans + i; 
    k := k - 1; 
  end; 
end; 
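What the ENTRY, EXIT and ASSERT clauses claim can be exercised by executing them. The following is an added example, not part of the original slides: the Gypsy procedure above is transcribed into Python, NTIMES is the problem-domain theory from the "Operating Requirement" slide, and every proof obligation the Gypsy verifier would discharge is turned into a run-time check. The range check on ans is an assumption of this example (the slide types ans as fm8502_int but shows no explicit overflow check), and mult_off_by_one is a deliberately wrong variant written here to show the invariant firing.

```python
"""The mult procedure and its operating requirement, run with ENTRY, EXIT
and the loop ASSERT turned into checks.

Added example, not from the original slides: the Gypsy text is transcribed
into Python and NTIMES is the problem-domain theory the requirement is
stated against. Checking the invariant on every iteration is testing, not
the verification-condition proof the Gypsy system performed, but it shows
what the ASSERT claims and how an ENTRY violation, an overflow of
fm8502_int, or an off-by-one bug is caught.
"""
INT_MIN, INT_MAX = -(2 ** 31), 2 ** 31 - 1       # type fm8502_int on the slide


def in_fm8502_int(v):
    return INT_MIN <= v <= INT_MAX


def ntimes(x, y):
    """NTIMES from the slide's problem-domain theory, for y >= 0.
    Same value as the recursive definition; iterative so large y does not
    hit the interpreter's recursion limit."""
    total = 0
    for _ in range(y):
        total += x
    return total


def requirement_R(i, j, ans):
    """Operating requirement R(s0, sk): EXIT ans = NTIMES(i, j)."""
    return ans == ntimes(i, j)


def mult(i, j, check_invariant=True):
    """procedure mult from the slide. Raises AssertionError where a Gypsy
    proof obligation would fail: ENTRY, loop ASSERT, EXIT, or the
    fm8502_int range (the range check on ans is this example's assumption)."""
    assert in_fm8502_int(i) and in_fm8502_int(j), "parameters must be fm8502_int"
    assert j >= 0, "ENTRY j ge 0"
    k = j
    ans = 0
    while True:
        # ASSERT j ge 0 & k in [0..j] & ans = NTIMES(i, j-k)
        if check_invariant:
            assert j >= 0 and 0 <= k <= j and ans == ntimes(i, j - k), "loop ASSERT"
        if k <= 0:
            break
        ans = ans + i
        assert in_fm8502_int(ans), "ans left fm8502_int"
        k = k - 1
    assert requirement_R(i, j, ans), "EXIT ans = NTIMES(i, j)"
    return ans


def mult_off_by_one(i, j):
    """Deliberately wrong variant (k := j - 1), written for this example, to
    show the ASSERT firing on the first iteration: ans = 0 but
    NTIMES(i, j-k) = i whenever i != 0."""
    assert j >= 0, "ENTRY j ge 0"
    k, ans = j - 1, 0
    while True:
        assert j >= 0 and 0 <= k <= j and ans == ntimes(i, j - k), "loop ASSERT"
        if k <= 0:
            break
        ans, k = ans + i, k - 1
    return ans


def violates(proc, i, j):
    """True if running proc(i, j) trips one of its checks."""
    try:
        proc(i, j)
    except AssertionError:
        return True
    return False
```

Note what the checks do and do not establish. A passing run of mult confirms R for that one (i, j); the Gypsy proof covers all of them. And the overflow assertion shows a gap a proof would expose as an unprovable obligation: EXIT ans = NTIMES(i, j) is unsatisfiable within fm8502_int when the product does not fit, so either the ENTRY condition has to be strengthened or the requirement rewritten.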
Piton Program Description 

(MG-MULT 
  (K ZERO ONE B ANS I J)                ; formals 
  NIL                                   ; locals 
  (PUSH-LOCAL ANS)                      ; ans := 0; 
  (PUSH-CONSTANT (INT 0)) 
  (CALL MG-SIMPLE-CONSTANT-ASSIGNMENT) 
  (PUSH-LOCAL K)                        ; k := j; 
  (PUSH-LOCAL J) 
  (CALL MG-SIMPLE-VARIABLE-ASSIGNMENT) 
  (DL L-1 NIL (NO-OP))                  ; loop 
  (PUSH-LOCAL B)                        ; b := k le 0 
  (PUSH-LOCAL K) 
  (PUSH-LOCAL ZERO) 
  (CALL MG-INTEGER-LE) 
  (PUSH-LOCAL B)                        ; if b then leave 
  (FETCH-TEMP-STK) 
  (TEST-BOOL-AND-JUMP FALSE L-3) 
  (PUSH-CONSTANT (NAT 0)) 
  (POP-GLOBAL C-C) 
  (JUMP L-2) 
  (JUMP L-4) 
  (DL L-3 NIL (NO-OP)) 
  (DL L-4 NIL (NO-OP)) 
  (PUSH-LOCAL ANS)                      ; ans := ans + i; 
  (PUSH-LOCAL ANS) 
  (PUSH-LOCAL I) 
  (CALL MG-INTEGER-ADD) 
  (PUSH-GLOBAL C-C) 
  ... [14 more support routines] ... 
FM8502 Program Description 


(M- STATE 

' (B000000000000000000000010X1000000 
BOOOOOOOOOOOOOOOOOOOOOOlllllOOOOO 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 


' (B00000000000011U1000001001000001 
B00600000000011111000001001011011 
B00000000000011111000000010011000 
BOOOOOOOOOOOOOOIIOOOOOOOOIOOOOOIO 
BOOOOOOOOOOOOlllllOOOOOOOlOlllOll 
BOOOOOOOOOOOOlllllOOOOOOOlOOllOOO 
BOOOOOOOOOOOOlllUOOOOOOOlOOOllOO 
BOOOOOOOOOOOOl 1111000001001101 100 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 
B00000000000011111000001001101100 
B0000000000000001000 0000010100101 
B00000000000000000000010001001101 
B0000000000000111000000001 0000101 
BOOOOOOOOOOOOl 1111000000000001000 
BOOOOOOOOOOOOl 11 11 000000001000001 
BOOOOOOOOOOOOl 11 11000000000011010 
B000000000000111 11000000000100010 
B00000000000011 111 000001001011011 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOl 
BOOOOOOO 0000011111000001001101100 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 
B0000000000001111100000100 1101100 
B00000000000000010000Q00010100101 
BOOOOOOOOOOOOOOOOOOOOOIOOO 1001101 
B00000000000001110000000010000101 
BOOOOOOOOOOOOl 1111000000000001000 
BOOOOOOOOOOOOl 11 11000000001000001 
B000000000000111110000000Q0011010 
B000000000000111110000000001 00010 
B00000000000011111000001001011011 
B00000000000011111000000010011000 
B00000000000000110000000010000010 
BO 0000 0000 0001 111 1000000 0101 11 Oil 
B00000000000011111000000010011000 
B00000000000011111 000000010001100 
BOOOOO 0000000111 1100 0001 00 1101 100 
B00000000000000000000000000000010 
B000000000000111 11000001001101100 
B00000000000000010000000010100101 
B00000000000000000000010001001101 
B00000000000001110000000010000101 
B0000000000001111100000001 0011011 
B00000000000010110000000101101011 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOl 
BOOOOOOOOOOOOOOO 00000000000000000 
B00000000000011111000001001101100 

... [10 more pages] ... )) 


BOOOOOOOOOOOOOOOOOOOOOO 1111100011 
BOOOOOOOOOOOOOOOOOOOOO 10001000111 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO 
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO) 

BOOOOOOOOOOOOl 11 11000000000100010 
B00000000000011111000001001011011 
BOOOOOOOOOOOOOOOOOOOOQOOOOOOOOOOl 
BO 00 00 00 0000 01 11 11 00 00 01 00 1101 100 
B00000000000000010000000010100101 
BOOOOOOOOOOOOOOOOOOOOO 1000 1001101 
B00000000000001110000000010000101 
B00000000000011111000000010011000 
B00000000000000110000000010000010 
B00000000000011111000000010111011 
BOOOOOQOOOOOOlllllOOOOOOOlOOllOOO 
BOOOOOOOOOOOOl 11 11000000010001100 
B00000000000011111000000110011011 
BOOOOOOOOOOOOOOO 000000000000 11 100 
B00000000000011111000000000111010 
BOOOOOOOOOOOOl 1111000001001000001 
BOOOOOOOOOOOOl 1111000001001011 Oil 
B00000000000011111000000010011000 
B000000000000001 10000000010000010 
BOOOOOOOOOOOOl 1111000000010011000 
B00000000000000110000000010000010 
B00000000000011111000000010111011 
B00000000000011111000000010011000 
B000000000000111 11 000000010001 100 
B00000000000011111000000110011011 
B00000000000000000000000000110100 
B000000000000111 11000000000111010 
B00000000000011111 000001001000001 
B00000000000011111000001 001011011 
B000000000000111 11000001 001011011 
B00000000000000000000000000000001 
BOOOOOOOOOOOOl 1111000001001101100 
BOOOOOOOOOOOOOOO 100000 00010100101 
B00000000000000000000010001001101 
B00000000000001110000000010000101 
B00000000000011111000000010011000 
B000000000000001 10000000010000010 
B00000000000011111000000010111011 
B00000000000011111000000010011000 
B000000000000111 11000000010001100 
B00000000000011111000001001101100 
B000000000000101 10000010101100100 
B000000000000010 11000000 101111000 
B00000000000011111000000010011000 
B000000000000001 10000000010000010 
B0000000000001111100000001 01 11011 
Mathematical Requirements 

• Unambiguous: Requirements have a well- 
defined interpretation that tells exactly what 
they do say. 

• Analyzable: Do the requirements say the "right" 
thing? 

R(x,y) -> good_thing (x, y) 

• Consistency: Requirements contain no 
contradictions. 

• Enable modeling a program component before 
building it (and thereby save the time and cost 
of designing a poor program.) 

To get these benefits, the requirements notation 

must have a rigorous mathematical foundation 

(semantics). 
Design » Requirements 

• There is more to designing a digital system than 
just stating and refining mathematical 
requirements . 

• One must still construct a program for some 
machine . 

• Mathematical models of commonly used 
languages and machines are still very scarce. 





Summary 

For either design of a new system or operation of 
an old one, mathematical modeling of digital flight 
control systems offers 

Benefits: early error detection 

• Saves time 

• Saves money 

• Saves operational disruption 

• Saves operational mishaps 

Risks: model misrepresents system 

• Inaccurate 

• Incomplete 


Conventional Non-Wisdom 

Use "formal methods" (mathematical modeling) 

• only after a system is built to certify it 

• only before a system is built to design it 

• to guarantee perfect system behavior 

• to eliminate the need for testing 